Difference between revisions of "Preparing a client certificate"

From SNIC Documentation
Jump to: navigation, search
m (chmod .globus)
(Use certs.p12 as name for uniformity between docs)
(3 intermediate revisions by 3 users not shown)
Line 1: Line 1:
 
[[Category:Grid computing]]
 
[[Category:Grid computing]]
 
[[Category:SweGrid user guide]]
 
[[Category:SweGrid user guide]]
[[Category:SweStore]]
+
[[Category:Swestore]]
[[Category:SweStore user guide]]
+
[[Category:Swestore user guide]]
[[SweStore|< SweStore]]
+
 
 +
[[Getting started with SweGrid|< Getting started with SweGrid]]
 +
 
 +
[[Swestore|< Swestore]]
  
 
Most of the standalone third party tools installed on SNIC resources and your own machine will not be able to use a <tt>.p12</tt> certificate bundle (or <tt>.pfx</tt> if you exported from IE), as that format is intended primarily for secure transport and backup of certificates and their private keys.
 
Most of the standalone third party tools installed on SNIC resources and your own machine will not be able to use a <tt>.p12</tt> certificate bundle (or <tt>.pfx</tt> if you exported from IE), as that format is intended primarily for secure transport and backup of certificates and their private keys.
Line 15: Line 18:
 
The goal is to end up with a <tt>.globus</tt> directory in your home directory, containing two files named <tt>usercert.pem</tt> and <tt>userkey.pem</tt>.
 
The goal is to end up with a <tt>.globus</tt> directory in your home directory, containing two files named <tt>usercert.pem</tt> and <tt>userkey.pem</tt>.
  
The instructions below assume that your exported certificate file is named <tt>export.p12</tt> directly in your home directory. If it's a <tt>.pfx</tt> or with a different name, change <tt>export.p12</tt> in the instructions to your actual filename or rename your file to <tt>export.p12</tt>.
+
The instructions below assume that your exported certificate file is named <tt>certs.p12</tt> directly in your home directory. If it's a <tt>.pfx</tt> or with a different name, change <tt>certs.p12</tt> in the instructions to your actual filename or rename your file to <tt>certs.p12</tt>.
  
* Transfer the <tt>export.p12</tt> file to your home directory on the cluster.
+
* Transfer the <tt>certs.p12</tt> file to your home directory on the cluster.
 
* Get an interactive shell on the login node, via ssh.
 
* Get an interactive shell on the login node, via ssh.
 
* If an .globus directory already exists, rename it with something like
 
* If an .globus directory already exists, rename it with something like
Line 24: Line 27:
 
   <tt>mkdir ~/.globus</tt>
 
   <tt>mkdir ~/.globus</tt>
 
   <tt>chmod 0700 ~/.globus</tt>
 
   <tt>chmod 0700 ~/.globus</tt>
* Extract and protect the private key part of <tt>export.p12</tt>:
+
* Extract and protect the private key part of <tt>certs.p12</tt>:
   openssl pkcs12 -nocerts -in ~/export.p12 -out ~/.globus/userkey.pem
+
   openssl pkcs12 -nocerts -in ~/certs.p12 -out ~/.globus/userkey.pem
 
* When asked for import password, specify the password specified when exporting the certificate bundle from your browser. The PEM pass phrase should be a new password that you need to provide whenever using the certificate for tasks like generating a proxy certificate. The output from this command will be similar to the following:
 
* When asked for import password, specify the password specified when exporting the certificate bundle from your browser. The PEM pass phrase should be a new password that you need to provide whenever using the certificate for tasks like generating a proxy certificate. The output from this command will be similar to the following:
 
   Enter Import Password: *******
 
   Enter Import Password: *******
Line 32: Line 35:
 
   Verifying - Enter PEM pass phrase: *******
 
   Verifying - Enter PEM pass phrase: *******
  
* Extract the public client certificate part of <tt>export.p12</tt>:
+
* Extract the public client certificate part of <tt>certs.p12</tt>:
   openssl pkcs12 -clcerts -nokeys -in ~/export.p12 -out ~/globus/usercert.pem
+
   openssl pkcs12 -clcerts -nokeys -in ~/certs.p12 -out ~/.globus/usercert.pem
 
* The output will be similar to the following:
 
* The output will be similar to the following:
 
   Enter Import Password: *******
 
   Enter Import Password: *******

Revision as of 14:16, 30 March 2022


< Getting started with SweGrid

< Swestore

Most of the standalone third party tools installed on SNIC resources and your own machine will not be able to use a .p12 certificate bundle (or .pfx if you exported from IE), as that format is intended primarily for secure transport and backup of certificates and their private keys.

Instead of a single .p12 file, they expect a pair of files in .pem format, one containing the certificate and the other containing the private key that matches the certificate.

Uploading and conversion of the .p12 for your target machine

As the authentication methods for clusters differ, this section will defer to documentations for your particular site when it comes to transferring files to and from the cluster storage.

The goal is to end up with a .globus directory in your home directory, containing two files named usercert.pem and userkey.pem.

The instructions below assume that your exported certificate file is named certs.p12 directly in your home directory. If it's a .pfx or with a different name, change certs.p12 in the instructions to your actual filename or rename your file to certs.p12.

  • Transfer the certs.p12 file to your home directory on the cluster.
  • Get an interactive shell on the login node, via ssh.
  • If an .globus directory already exists, rename it with something like
 mv ~/.globus ~/.globus-old
  • Create the directory with
 mkdir ~/.globus
 chmod 0700 ~/.globus
  • Extract and protect the private key part of certs.p12:
 openssl pkcs12 -nocerts -in ~/certs.p12 -out ~/.globus/userkey.pem
  • When asked for import password, specify the password specified when exporting the certificate bundle from your browser. The PEM pass phrase should be a new password that you need to provide whenever using the certificate for tasks like generating a proxy certificate. The output from this command will be similar to the following:
 Enter Import Password: *******
 MAC verified OK
 Enter PEM pass phrase: *******
 Verifying - Enter PEM pass phrase: *******
  • Extract the public client certificate part of certs.p12:
 openssl pkcs12 -clcerts -nokeys -in ~/certs.p12 -out ~/.globus/usercert.pem
  • The output will be similar to the following:
 Enter Import Password: *******
 MAC verified OK
  • Finally ensure that only your user is allowed to read the private key file. This is important, both for security and due to some tools refusing to use private keys with insufficient restrictions.
 chmod 0400 ~/.globus/userkey.pem